
Atlas WebAPI Active Directory (AD) Login

Hello,

We are trying to set up our Atlas instance to use our active directory to manage user logins. I’m trying to make sure I correctly understand our options.

  • Is there an option for Atlas to redirect to our organizational active directory login page? If so, which security configuration is this?

  • If we set up an AD user and an AD user group, we do not need to store individual usernames and passwords in a secondary database or in Atlas, correct? We can use the Atlas AD option to connect to our AD to have users managed internally?

I’ve reviewed the documentation here (Security Configuration · OHDSI/WebAPI Wiki · GitHub) and done some searching on the forums, but am still a bit fuzzy on the details.

If anyone who has used AD in their Atlas instance can advise, I would really appreciate it! Thank you!!

@anthonysena @pavgra @Chris_Knoll

CAS will redirect to an SSO server. I only have experience with that and the AD and LDAP options. I detailed a lot of what I learned in a recent post on the subject. Every authenticated user using a service gets immediately recorded as a user (but no password) in the WebAPI DB if not already imported via AD/LDAP import.

Once the authentication issue is solved, then authorization needs to be coordinated with the user who signed in so the right permissions can be assigned. If your organization’s AD has inconsistencies, you might experience issues with certain users. So if you use CAS, it will return an ID to WebAPI/Atlas. If that ID doesn’t match the ID that same person may have in the AD group whose members you want to assign to a role, that person may need manual reconciliation to get the correct roles assigned. This can happen because there may be several AD entries for a person, and one of those may be used for SSO while a different one may be assigned to the AD group, so that person in the WebAPI DB would have two distinct records.
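The identifier mismatch described in the reply above, as an added example that is not from the post or from the OHDSI project: a Python check that normalizes the logins WebAPI has recorded (assumed here to come from its sec_user table) against the members of the AD group you intend to map to a role, and flags people who ended up with two WebAPI records or have no group counterpart. The table name, the normalization rules and all sample data are constructed assumptions.

```python
from collections import defaultdict

# Constructed rows resembling WebAPI's sec_user(id, login) table (assumed schema).
SEC_USERS = [
    (1, "jdoe@example.org"),    # record created on first CAS/SSO login
    (2, "CORP\\jdoe"),          # record created by the AD user import
    (3, "asmith"),              # imported from AD, also signs in via SSO
    (4, "bjones@example.org"),  # SSO id for a person listed in AD as b.jones
]
# Constructed member list of the AD group you want to map to a WebAPI role.
AD_GROUP_MEMBERS = ["jdoe", "asmith", "b.jones"]


def normalize(identifier: str) -> str:
    """Reduce a login to a comparable key: lower-case, drop a DOMAIN\\ prefix
    and an @realm suffix. Heuristic only; a stable attribute such as
    objectGUID/objectSid is the safer join key when AD exposes it."""
    ident = identifier.strip().lower()
    if "\\" in ident:
        ident = ident.split("\\", 1)[1]
    if "@" in ident:
        ident = ident.split("@", 1)[0]
    return ident


def reconcile(sec_users, ad_members):
    """Group WebAPI records by normalized login and compare with the AD group.
    Returns (matched, unmatched, duplicates), each mapping key -> [record ids]."""
    ad_keys = {normalize(m) for m in ad_members}
    by_key = defaultdict(list)
    for user_id, login in sec_users:
        by_key[normalize(login)].append(user_id)
    matched = {k: ids for k, ids in by_key.items() if k in ad_keys}
    unmatched = {k: ids for k, ids in by_key.items() if k not in ad_keys}
    duplicates = {k: ids for k, ids in by_key.items() if len(ids) > 1}
    return matched, unmatched, duplicates


def report(sec_users=SEC_USERS, ad_members=AD_GROUP_MEMBERS):
    """Print the manual-reconciliation work list and return the raw result."""
    matched, unmatched, duplicates = reconcile(sec_users, ad_members)
    for key, ids in duplicates.items():
        print(f"DUPLICATE {key}: WebAPI records {ids} look like one person; merge or assign roles to one")
    for key, ids in unmatched.items():
        print(f"UNMATCHED {key}: records {ids} are not in the AD group; assign roles manually")
    return matched, unmatched, duplicates


if __name__ == "__main__":
    report()
```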

  • Is there an option for Atlas to redirect to our organizational active directory login page? If so, which security configuration is this?

AD does not support it. You can use ADFS with SAML for this purpose. ATLAS/WebAPI support SAML integration.

  • If we set up an AD user and an AD user group, we do not need to store individual usernames and passwords in a secondary database or in Atlas, correct?

Correct. With AD integration, there is no need to store any user data in a secondary database.

  • We can use the Atlas AD option to connect to our AD to have users managed internally?

You can set up user/role synchronization with AD groups.
